[28775] in North American Network Operators' Group


Re: New Internet-draft on DDOS defense...

daemon@ATHENA.MIT.EDU (Vipul Shah)
Tue May 16 06:15:59 2000

Message-Id: <s920cad3.014@prv-mail20.provo.novell.com>
Date: Tue, 16 May 2000 03:58:37 -0600
From: "Vipul Shah" <svipul@novell.com>
To: <nanog@merit.edu>
Cc: <mixter@newyorkoffice.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Errors-To: owner-nanog-outgoing@merit.edu
>>> <mixter@newyorkoffice.com> 05/13/00 07:19PM >>>

Hi,

I'm sorry it took me so long to reply. I couldn't find the particular
message, and there seemed to be a couple of new ones, so I'm posting
my reply here...

It is true that with the proposed solution, attackers can still launch
smurf attacks with the broadcast of a local LAN, however they cannot
use arbitrary broadcasts to commence smurf attacks. They have to get
inside access on every subnet they want to smurf from, which also means
they can be tracked down by looking at the broadcast replies to the victim.
Also, it is true that the bandwidth of a smurf is a multiple of the
attacker's bandwidth, so it is relevant. But launching *smurf* attacks
(not DDOS) from anything as fast as an OC-12 would simply overload the
used broadcast addresses. The maximal bandwidth of each broadcast reply
is the bandwidth of the subnet whose broadcast you're pinging; it is not
limited only by your own bandwidth. That's also why only the use
of *many different* broadcasts at a time can launch a devastating attack.
You would have to operate from several moderately-fast boxes, e.g. smurf
with 100 different broadcast addresses, each from one T1, or smurf
them from a T3, cycling through the broadcast list, in order not to
concentrate too much bandwidth on a single broadcast, which could overload
the broadcast itself (like the smurf.c programs do).

Additionally, the proposed solution is obviously meant to be implemented
along with ingress traffic policing. If a subnet's external router uses
both rfc1122 and ingress filtering rules, there is no chance for an
outside or inside attacker to ever launch a broadcast amplifier flood.

On Fri, 12 May 2000, Vipul Shah wrote:

> Mixter,
> 
> Currently, we have started a discussion thread on NANOG mailing list for
> DDoS Smurf attack solution...
> http://www.merit.edu/mail.archives/nanog/
> 
> One of the responses (attached mail) says that such a Smurf attack is not
> effective unless it is launched from sites with switched ethernet and OC-3 or
> better connectivity. Hence it is not beneficial to any attacker.
> 
> Since I don't have experience/knowledge about which kind of sites are
> compromised for generating attacks, I suggest, if you can, that you reply to the
> attached mail (either to me or directly to NANOG list) with the kind of networks
> used for launching attacks and the typical number of DDoS agents. Such knowledge
> will help us to finalize whether the proposed solution is useful to implement
> or not.
> 
> Thanks,
> Vipul
> 
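The two router rules Mixter relies on (RFC 1122 handling of directed broadcasts, plus ingress source-address filtering) and his bandwidth argument can be modelled in a few lines. The following Python is an added illustration written for this archive page; it is not code from Mixter, from the Internet-draft, or from anyone in the thread. The 192.0.2.0/24 prefix, the 10 Mb/s subnet capacity, the host count and the sample packets are constructed assumptions, and the rule names refer to RFC 1122, RFC 2644 and RFC 2827 only as the documents that describe those behaviours.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed model of one subnet's external (border) router.
# Prefix and capacity are assumptions for the example, not figures from the thread.
SUBNET = ipaddress.ip_network("192.0.2.0/24")   # RFC 5737 documentation prefix
SUBNET_BPS = 10_000_000                          # assumed shared 10 Mb/s LAN
ECHO_REQUEST = "icmp-echo-request"
ECHO_REPLY = "icmp-echo-reply"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    size: int  # bytes


def is_directed_broadcast(dst: str) -> bool:
    """The subnet's all-ones address is its broadcast address (RFC 1122 3.3.6)."""
    return ipaddress.ip_address(dst) == SUBNET.broadcast_address


def forward_from_outside(pkt: Packet) -> tuple[bool, str]:
    """Decision for a packet arriving on the external interface.

    Rule 1: a router that follows RFC 1122 (and the RFC 2644 default) does not
    forward directed broadcasts, so an outside sender can never turn one
    packet into a reply from every host on this LAN.
    """
    if is_directed_broadcast(pkt.dst):
        return False, "drop: directed broadcast not forwarded (RFC 1122)"
    return True, "forward"


def forward_from_inside(pkt: Packet) -> tuple[bool, str]:
    """Decision for a packet leaving the subnet toward the Internet.

    Rule 2: ingress filtering (RFC 2827 / BCP 38) drops anything whose source
    address is not in our own prefix. Spoofed traffic cannot leave, and the
    replies that do leave carry genuine addresses, which is what makes an
    inside sender traceable from the victim's side, as Mixter notes.
    """
    if ipaddress.ip_address(pkt.src) not in SUBNET:
        return False, "drop: source not in subnet prefix (ingress filtering)"
    return True, "forward"


def reflected_bps(request_bps: int, responding_hosts: int,
                  subnet_bps: int = SUBNET_BPS) -> int:
    """Upper bound on reply volume from one broadcast domain.

    Every responding host answers each request once, so the replies are at
    most request_bps * hosts, but they can never exceed the LAN's own
    capacity. This is Mixter's point: one broadcast address saturates long
    before a fast attacking link does, so only many different broadcasts
    add up to a large flood.
    """
    return min(request_bps * responding_hosts, subnet_bps)


def demo() -> list[str]:
    """Run the constructed sample packets through both rules."""
    outside_to_broadcast = Packet("203.0.113.9", "192.0.2.255", ECHO_REQUEST, 64)
    outside_to_host = Packet("203.0.113.9", "192.0.2.10", ECHO_REQUEST, 64)
    inside_spoofed = Packet("203.0.113.9", "198.51.100.1", ECHO_REQUEST, 64)
    inside_genuine_reply = Packet("192.0.2.10", "203.0.113.9", ECHO_REPLY, 64)
    return [
        forward_from_outside(outside_to_broadcast)[1],
        forward_from_outside(outside_to_host)[1],
        forward_from_inside(inside_spoofed)[1],
        forward_from_inside(inside_genuine_reply)[1],
        f"T1 at 200 hosts -> {reflected_bps(1_544_000, 200)} bps (capped by LAN)",
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The bound in reflected_bps is what separates the two cases in the thread: a single broadcast domain can return at most its own link capacity no matter how fast the sender's link is, so the outside case is closed by rule 1 alone, and rule 2 only leaves an inside sender with traffic that carries its true source addresses.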
